if (strstr($subject, "\r") || strstr($subject, "\n")) die("spammer");
if (strstr($from, "\r") || strstr($from, "\n")) die("spammer");

That right there will kill off most of your header injection attacks, assuming you have already got $from = $_REQUEST['from'] or something similar.

The main thing is to make sure your HEADERS are clean with no injected junk to insert more Cc: headers or MIME stuff that shouldn't be there.

You can also "throttle" the amount of email you are willing to send out on behalf of a single IP address -- while this might not work for high-volume sites with heavily skewed userbase of corporate America behind firewalls, or AOL users whose IP address changes faster than drummers change their underwear, it works well for small-scale sites with reasonable limits of a handful of emails per IP per 24-hour period.

What is best to do depends on your target audience, who is getting the emails, who is sending them, and what constitutes "normal" usage.

Security is rarely an off-the-rack solution :-)

On Wed, December 6, 2006 3:09 pm, Peter Lauri wrote:
> Hi,
>
> Are there any general protection methods to minimize the risk of robots
> using your mailing forms as spam senders?
>
> /Peter

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
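The per-IP throttle described in the message above, as an added example that is not part of the original post. The function names, the limit of 5 per 24 hours, the JSON state file and the sample address are all assumptions made for illustration; a real form would pass $_SERVER['REMOTE_ADDR'] and a fixed state path.

```php
<?php
// Added example, not from the original message. Names, the limit and the
// storage format are assumptions chosen for illustration.
const MAIL_LIMIT  = 5;      // assumed: emails allowed per IP per window
const MAIL_WINDOW = 86400;  // 24 hours, in seconds

// True if the value could smuggle an extra header line (CR or LF present).
function has_header_injection(string $value): bool
{
    return strpbrk($value, "\r\n") !== false;
}

// Records one send attempt for $ip and reports whether it is within the limit.
// State is a JSON map of ip => [timestamps], guarded by an exclusive lock.
function allow_send(string $ip, string $stateFile, ?int $now = null): bool
{
    $now = $now ?? time();
    $fh = fopen($stateFile, 'c+');   // create if missing, do not truncate
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return false;                // refuse if state cannot be read or locked
    }
    $log = json_decode(stream_get_contents($fh) ?: '{}', true) ?: [];

    // Drop timestamps older than the window and forget IPs with none left.
    foreach ($log as $addr => $times) {
        $log[$addr] = array_values(array_filter($times, fn($t) => $t > $now - MAIL_WINDOW));
        if ($log[$addr] === []) unset($log[$addr]);
    }

    $allowed = count($log[$ip] ?? []) < MAIL_LIMIT;
    if ($allowed) $log[$ip][] = $now;

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($log));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Constructed demo: six attempts from one documentation-range address,
// then the header check on a constructed subject carrying an extra Cc: line.
$state = tempnam(sys_get_temp_dir(), 'mailthrottle');
foreach (range(1, 6) as $i) {
    printf("attempt %d: %s\n", $i, allow_send('192.0.2.10', $state, 1000000 + $i) ? 'send' : 'refuse');
}
var_dump(has_header_injection("Hello\r\nCc: someone@example.com"));
unlink($state);
```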